MacOS – Are applications required to be installed to the /Applications folder in order to be sandboxed

applicationsmacossandbox

I have an application installed in the ~/Applications folder. I've been using it for years with no problems. But after a recent update this application started giving me warnings that it should be installed in the main /Applications folder. But still it is working just fine, and I see no reasons to move it out from where it is now (aside from this annoying warning).

So I asked the application's support team, why do they want me to have their application installed exactly in /Applications, and here's the answer they gave me:

In order to be fully sandboxed the application must be installed into the /Applications folder

Is it really so? Mac OS sandboxes only applications installed in the /Applications? Is it stated somewhere in Apple's documentation? I could only find this article (the section about launching helpers).

And additional question: does it mean that ~/Applications (or any other) folder is "less secure" then for installing applications?

[Update]

I've got another answer from support: now they're saying that it's sandboxing and access to code signature verification API what requires them to have their application installed exactly at /Applications. I've posted a Stack Overflow question about that.

Best Answer

No, it is not really so. Being or not being stored in /Applications is not the determining factor in deciding whether or not an app is sandboxed.

No, other folders are not "less secure" than /Applications.

You haven't described which application in particular you're dealing with, but I would guess that you're running into a specific limitation on sandboxed applications - namely helpers:

An application can include a helper that is run in background using LaunchService - i.e. it runs even though you haven't started the main application.

However, a sandboxed application can only automatically start a helper if the application is stored in /Applications!

Note that there are other requirements that must be fulfilled also, but this is the one with relevance to sandboxing and the /Applications folder. The other requirements are for example that the helper must be signed (similar to the main application) and that the user must have manually started the helper before it can be automatically started.

You can read about macOS sandboxing in more detail here:

https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html

Related Solutions

MacOS – How Should I Correct the Owners and Permissions in an OS X User Folder

The first step I would recommend is to try resetting your home folder permissions with the Reset Password utility in Lion Recovery. (Despite the name of the utility, you won't actually be resetting any passwords.)

Resetting the home folder permissions with the Reset Password utility will reset both the owner and the permissions.

Restart your Mac holding ⌘+R to boot into Lion Recovery, which will bring you to the Repair Utilities screen.
Open Terminal from the Utilities menu.
In Terminal, enter resetpassword to open the Reset Password utility.
Choose your hard drive icon at the top, then choose your user from the drop-down menu below. Do not reset the password here.
At the bottom of the window, under "Reset Home Directory Permissions and ACLs", click the "Reset" button. This may take awhile if you have a lot of files in your home folder.

This should solve your permissions problems for most apps. However, it's possible you may have a few apps which had saved files with special permissions that are different from the user's default permissions (like preferences or application support files). For those apps, you may need to delete their preferences or reinstall the app.

If resetting your home folder permissions doesn't work, then you may need to try restoring from a backup or transferring your data to an external drive.

MacOS – How To Disable OS X Mavericks USB autorun

You need to remove the auto launch job with the launchctl command.

For example, in my case I have already installed a modem manufactured by ZTE. So I searched for LAUNCHD listings using the launchctl list command and grepped for those modem strings.

launchctl list | grep -i zte

Showing:

5681    -   cn.com.zte.usbswapper.plist

If you do not find your app, then output all the jobs to a file. This awk command tries to overcome the chance that you may have spaces in your launchd job name.

launchctl list 2>/dev/null | awk '
{ x="\""substr($0, match($0, $3), 100)"\""; print x; system("launchctl list " x) }
' > launchList.txt

Open launchList.txt. The name of the launchd job will be shown in "..." above the {} block where you hopefully find a "Mobile Partner" or "AutoOpen" string.

Perhaps inspect the item to be more confident before removal. Surround by "" if there are spaces in the job name.

launchctl list "cn.com.zte.usbswapper.plist"

Then just remove it. This is the command to stop the auto load. Be very sure you are removing the correct agent or deamon.

launchctl remove "cn.com.zte.usbswapper.plist"

Add it again if you want, using the full path of the PLIST file.

launchctl load /Library/LaunchAgents/cn.com.zte.usbswapper.plist

[Update]

Best Answer

Related Solutions

MacOS – How Should I Correct the Owners and Permissions in an OS X User Folder

MacOS – How To Disable OS X Mavericks USB autorun

Related Question